From: Sasha Levin Date: Sat, 27 Apr 2019 15:37:26 +0000 (-0400) Subject: patches for 5.0 X-Git-Tag: v4.9.172~55 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae1557b4b22ab57e23e7a84cd0a00b937960264e;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 5.0 Signed-off-by: Sasha Levin --- diff --git a/queue-5.0/alsa-hda-realtek-move-to-act_init-state.patch b/queue-5.0/alsa-hda-realtek-move-to-act_init-state.patch new file mode 100644 index 00000000000..ecc61bbd798 --- /dev/null +++ b/queue-5.0/alsa-hda-realtek-move-to-act_init-state.patch @@ -0,0 +1,113 @@ +From ebe8c5500e361bb8083a820c77e92b6e4b42deff Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Wed, 3 Apr 2019 15:31:49 +0800 +Subject: ALSA: hda/realtek - Move to ACT_INIT state + +[ Upstream commit 8983eb602af511fc5822f5ff4a82074c68816fd9 ] + +It will be lose Mic JD state when Chrome OS boot and headset was plugged. +Just Implement of reset combo jack JD verb for ACT_PRE_PROBE state. +Intel test result was also failed. +It test passed until changed the initial state to ACT_INIT. +Mic JD will show every time. +This patch also changed the model name as 'alc-chrome-book' for +application of Chrome OS. + +Fixes: 10f5b1b85ed1 ("ALSA: hda/realtek - Fixed Headset Mic JD not stable") +Signed-off-by: Kailang Yang +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_realtek.c | 41 +++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 12 deletions(-) + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index f061167062bc..a9f69c3a3e0b 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -5490,7 +5490,7 @@ static void alc_headset_btn_callback(struct hda_codec *codec, + jack->jack->button_state = report; + } + +-static void alc295_fixup_chromebook(struct hda_codec *codec, ++static void alc_fixup_headset_jack(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { + +@@ -5500,16 +5500,6 @@ static void alc295_fixup_chromebook(struct hda_codec *codec, + alc_headset_btn_callback); + snd_hda_jack_add_kctl(codec, 0x55, "Headset Jack", false, + SND_JACK_HEADSET, alc_headset_btn_keymap); +- switch (codec->core.vendor_id) { +- case 0x10ec0295: +- alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */ +- alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15); +- break; +- case 0x10ec0236: +- alc_update_coef_idx(codec, 0x1b, 0x8000, 1 << 15); /* Reset HP JD */ +- alc_update_coef_idx(codec, 0x1b, 0x8000, 0 << 15); +- break; +- } + break; + case HDA_FIXUP_ACT_INIT: + switch (codec->core.vendor_id) { +@@ -5530,6 +5520,25 @@ static void alc295_fixup_chromebook(struct hda_codec *codec, + } + } + ++static void alc295_fixup_chromebook(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ switch (action) { ++ case HDA_FIXUP_ACT_INIT: ++ switch (codec->core.vendor_id) { ++ case 0x10ec0295: ++ alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */ ++ alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15); ++ break; ++ case 0x10ec0236: ++ alc_update_coef_idx(codec, 0x1b, 0x8000, 1 << 15); /* Reset HP JD */ ++ alc_update_coef_idx(codec, 0x1b, 0x8000, 0 << 15); ++ break; ++ } ++ break; ++ } ++} ++ + static void alc_fixup_disable_mic_vref(struct hda_codec *codec, + const struct hda_fixup *fix, int action) + { +@@ -5684,6 +5693,7 @@ enum { + ALC285_FIXUP_LENOVO_PC_BEEP_IN_NOISE, + ALC255_FIXUP_ACER_HEADSET_MIC, + ALC295_FIXUP_CHROME_BOOK, ++ ALC225_FIXUP_HEADSET_JACK, + ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE, + ALC225_FIXUP_WYSE_AUTO_MUTE, + ALC225_FIXUP_WYSE_DISABLE_MIC_VREF, +@@ -6645,6 +6655,12 @@ static const struct hda_fixup alc269_fixups[] = { + [ALC295_FIXUP_CHROME_BOOK] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc295_fixup_chromebook, ++ .chained = true, ++ .chain_id = ALC225_FIXUP_HEADSET_JACK ++ }, ++ [ALC225_FIXUP_HEADSET_JACK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_jack, + }, + [ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE] = { + .type = HDA_FIXUP_PINS, +@@ -7143,7 +7159,8 @@ static const struct hda_model_fixup alc269_fixup_models[] = { + {.id = ALC255_FIXUP_DUMMY_LINEOUT_VERB, .name = "alc255-dummy-lineout"}, + {.id = ALC255_FIXUP_DELL_HEADSET_MIC, .name = "alc255-dell-headset"}, + {.id = ALC295_FIXUP_HP_X360, .name = "alc295-hp-x360"}, +- {.id = ALC295_FIXUP_CHROME_BOOK, .name = "alc-sense-combo"}, ++ {.id = ALC225_FIXUP_HEADSET_JACK, .name = "alc-headset-jack"}, ++ {.id = ALC295_FIXUP_CHROME_BOOK, .name = "alc-chrome-book"}, + {.id = ALC299_FIXUP_PREDATOR_SPK, .name = "predator-spk"}, + {} + }; +-- +2.19.1 + diff --git a/queue-5.0/block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch b/queue-5.0/block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch new file mode 100644 index 00000000000..d2b722f16f5 --- /dev/null +++ b/queue-5.0/block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch @@ -0,0 +1,143 @@ +From 6471bc7725e4ff233f56eeba295ed87c875fa9cb Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Wed, 10 Apr 2019 10:38:33 +0200 +Subject: block, bfq: fix use after free in bfq_bfqq_expire + +[ Upstream commit eed47d19d9362bdd958e4ab56af480b9dbf6b2b6 ] + +The function bfq_bfqq_expire() invokes the function +__bfq_bfqq_expire(), and the latter may free the in-service bfq-queue. +If this happens, then no other instruction of bfq_bfqq_expire() must +be executed, or a use-after-free will occur. + +Basing on the assumption that __bfq_bfqq_expire() invokes +bfq_put_queue() on the in-service bfq-queue exactly once, the queue is +assumed to be freed if its refcounter is equal to one right before +invoking __bfq_bfqq_expire(). + +But, since commit 9dee8b3b057e ("block, bfq: fix queue removal from +weights tree") this assumption is false. __bfq_bfqq_expire() may also +invoke bfq_weights_tree_remove() and, since commit 9dee8b3b057e +("block, bfq: fix queue removal from weights tree"), also +the latter function may invoke bfq_put_queue(). So __bfq_bfqq_expire() +may invoke bfq_put_queue() twice, and this is the actual case where +the in-service queue may happen to be freed. + +To address this issue, this commit moves the check on the refcounter +of the queue right around the last bfq_put_queue() that may be invoked +on the queue. + +Fixes: 9dee8b3b057e ("block, bfq: fix queue removal from weights tree") +Reported-by: Dmitrii Tcvetkov +Reported-by: Douglas Anderson +Tested-by: Dmitrii Tcvetkov +Tested-by: Douglas Anderson +Signed-off-by: Paolo Valente +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bfq-iosched.c | 15 +++++++-------- + block/bfq-iosched.h | 2 +- + block/bfq-wf2q.c | 17 +++++++++++++++-- + 3 files changed, 23 insertions(+), 11 deletions(-) + +diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c +index e5ed28629271..72510c470001 100644 +--- a/block/bfq-iosched.c ++++ b/block/bfq-iosched.c +@@ -2804,7 +2804,7 @@ static void bfq_dispatch_remove(struct request_queue *q, struct request *rq) + bfq_remove_request(q, rq); + } + +-static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq) ++static bool __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq) + { + /* + * If this bfqq is shared between multiple processes, check +@@ -2837,9 +2837,11 @@ static void __bfq_bfqq_expire(struct bfq_data *bfqd, struct bfq_queue *bfqq) + /* + * All in-service entities must have been properly deactivated + * or requeued before executing the next function, which +- * resets all in-service entites as no more in service. ++ * resets all in-service entities as no more in service. This ++ * may cause bfqq to be freed. If this happens, the next ++ * function returns true. + */ +- __bfq_bfqd_reset_in_service(bfqd); ++ return __bfq_bfqd_reset_in_service(bfqd); + } + + /** +@@ -3244,7 +3246,6 @@ void bfq_bfqq_expire(struct bfq_data *bfqd, + bool slow; + unsigned long delta = 0; + struct bfq_entity *entity = &bfqq->entity; +- int ref; + + /* + * Check whether the process is slow (see bfq_bfqq_is_slow). +@@ -3313,10 +3314,8 @@ void bfq_bfqq_expire(struct bfq_data *bfqd, + * reason. + */ + __bfq_bfqq_recalc_budget(bfqd, bfqq, reason); +- ref = bfqq->ref; +- __bfq_bfqq_expire(bfqd, bfqq); +- +- if (ref == 1) /* bfqq is gone, no more actions on it */ ++ if (__bfq_bfqq_expire(bfqd, bfqq)) ++ /* bfqq is gone, no more actions on it */ + return; + + bfqq->injected_service = 0; +diff --git a/block/bfq-iosched.h b/block/bfq-iosched.h +index 746bd570b85a..ca98c98a8179 100644 +--- a/block/bfq-iosched.h ++++ b/block/bfq-iosched.h +@@ -993,7 +993,7 @@ bool __bfq_deactivate_entity(struct bfq_entity *entity, + bool ins_into_idle_tree); + bool next_queue_may_preempt(struct bfq_data *bfqd); + struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd); +-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd); ++bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd); + void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq, + bool ins_into_idle_tree, bool expiration); + void bfq_activate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq); +diff --git a/block/bfq-wf2q.c b/block/bfq-wf2q.c +index 4aab1a8191f0..8077bf71d2ac 100644 +--- a/block/bfq-wf2q.c ++++ b/block/bfq-wf2q.c +@@ -1599,7 +1599,8 @@ struct bfq_queue *bfq_get_next_queue(struct bfq_data *bfqd) + return bfqq; + } + +-void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd) ++/* returns true if the in-service queue gets freed */ ++bool __bfq_bfqd_reset_in_service(struct bfq_data *bfqd) + { + struct bfq_queue *in_serv_bfqq = bfqd->in_service_queue; + struct bfq_entity *in_serv_entity = &in_serv_bfqq->entity; +@@ -1623,8 +1624,20 @@ void __bfq_bfqd_reset_in_service(struct bfq_data *bfqd) + * service tree either, then release the service reference to + * the queue it represents (taken with bfq_get_entity). + */ +- if (!in_serv_entity->on_st) ++ if (!in_serv_entity->on_st) { ++ /* ++ * If no process is referencing in_serv_bfqq any ++ * longer, then the service reference may be the only ++ * reference to the queue. If this is the case, then ++ * bfqq gets freed here. ++ */ ++ int ref = in_serv_bfqq->ref; + bfq_put_queue(in_serv_bfqq); ++ if (ref == 1) ++ return true; ++ } ++ ++ return false; + } + + void bfq_deactivate_bfqq(struct bfq_data *bfqd, struct bfq_queue *bfqq, +-- +2.19.1 + diff --git a/queue-5.0/cifs-fix-memory-leak-in-smb2_read.patch b/queue-5.0/cifs-fix-memory-leak-in-smb2_read.patch new file mode 100644 index 00000000000..372d10e880b --- /dev/null +++ b/queue-5.0/cifs-fix-memory-leak-in-smb2_read.patch @@ -0,0 +1,35 @@ +From f837e448c47f20117933a180dfad6250aad02315 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Tue, 23 Apr 2019 16:39:45 +1000 +Subject: cifs: fix memory leak in SMB2_read + +[ Upstream commit 05fd5c2c61732152a6bddc318aae62d7e436629b ] + +Commit 088aaf17aa79300cab14dbee2569c58cfafd7d6e introduced a leak where +if SMB2_read() returned an error we would return without freeing the +request buffer. + +Cc: Stable +Signed-off-by: Ronnie Sahlberg +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/smb2pdu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c +index 938e75cc3b66..85a3c051e622 100644 +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -3402,6 +3402,7 @@ SMB2_read(const unsigned int xid, struct cifs_io_parms *io_parms, + rc); + } + free_rsp_buf(resp_buftype, rsp_iov.iov_base); ++ cifs_small_buf_release(req); + return rc == -ENODATA ? 0 : rc; + } else + trace_smb3_read_done(xid, req->PersistentFileId, +-- +2.19.1 + diff --git a/queue-5.0/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-5.0/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..250f36c8f71 --- /dev/null +++ b/queue-5.0/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch @@ -0,0 +1,99 @@ +From c921a41961d3ee46eb01044967eedf46489ce833 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 25 Apr 2019 22:24:05 -0700 +Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference + +[ Upstream commit 89189557b47b35683a27c80ee78aef18248eefb4 ] + +Syzkaller report this: + + sysctl could not get directory: /net//bridge -12 + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline] + RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline] + RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline] + RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459 + Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48 + RSP: 0018:ffff8881bb507778 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a + RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568 + RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4 + R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + erase_entry fs/proc/proc_sysctl.c:178 [inline] + erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207 + start_unregistering fs/proc/proc_sysctl.c:331 [inline] + drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0x68/0x1000 [br_netfilter] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter] + Dumping ftrace buffer: + (ftrace buffer empty) + ---[ end trace 68741688d5fbfe85 ]--- + +commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer +dereference in put_links") forgot to handle start_unregistering() case, +while header->parent is NULL, it calls erase_header() and as seen in the +above syzkaller call trace, accessing &header->parent->root will trigger +a NULL pointer dereference. + +As that commit explained, there is also no need to call +start_unregistering() if header->parent is NULL. + +Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com +Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links") +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing +Reported-by: Hulk Robot +Reviewed-by: Kees Cook +Cc: Luis Chamberlain +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/proc_sysctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c +index d65390727541..7325baa8f9d4 100644 +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1626,9 +1626,11 @@ static void drop_sysctl_table(struct ctl_table_header *header) + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + +-- +2.19.1 + diff --git a/queue-5.0/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch b/queue-5.0/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch new file mode 100644 index 00000000000..0beade8cf8d --- /dev/null +++ b/queue-5.0/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch @@ -0,0 +1,37 @@ +From 195806445dc8a91cd24ce88c6b4d2893d9e5b464 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 1 Mar 2019 10:09:55 +0200 +Subject: intel_th: gth: Fix an off-by-one in output unassigning + +[ Upstream commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f ] + +Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs") +fixes a NULL dereference for all masters except the last one ("256+"), +which keeps the stale pointer after the output driver had been unassigned. + +Fix the off-by-one. + +Signed-off-by: Alexander Shishkin +Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs") +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/hwtracing/intel_th/gth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwtracing/intel_th/gth.c b/drivers/hwtracing/intel_th/gth.c +index cc287cf6eb29..edc52d75e6bd 100644 +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -616,7 +616,7 @@ static void intel_th_gth_unassign(struct intel_th_device *thdev, + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); +-- +2.19.1 + diff --git a/queue-5.0/netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch b/queue-5.0/netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch new file mode 100644 index 00000000000..5801ed8320b --- /dev/null +++ b/queue-5.0/netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch @@ -0,0 +1,63 @@ +From 2e8c16fd1fdf0088cbbde5e050f92cc197bf38b8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 14 Mar 2019 10:50:20 +0100 +Subject: netfilter: nf_tables: bogus EBUSY in helper removal from transaction + +[ Upstream commit 8ffcd32f64633926163cdd07a7d295c500a947d1 ] + +Proper use counter updates when activating and deactivating the object, +otherwise, this hits bogus EBUSY error. + +Fixes: cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase") +Reported-by: Laura Garcia +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_objref.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c +index d8737c115257..bf92a40dd1b2 100644 +--- a/net/netfilter/nft_objref.c ++++ b/net/netfilter/nft_objref.c +@@ -64,21 +64,34 @@ nla_put_failure: + return -1; + } + +-static void nft_objref_destroy(const struct nft_ctx *ctx, +- const struct nft_expr *expr) ++static void nft_objref_deactivate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ enum nft_trans_phase phase) + { + struct nft_object *obj = nft_objref_priv(expr); + ++ if (phase == NFT_TRANS_COMMIT) ++ return; ++ + obj->use--; + } + ++static void nft_objref_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_object *obj = nft_objref_priv(expr); ++ ++ obj->use++; ++} ++ + static struct nft_expr_type nft_objref_type; + static const struct nft_expr_ops nft_objref_ops = { + .type = &nft_objref_type, + .size = NFT_EXPR_SIZE(sizeof(struct nft_object *)), + .eval = nft_objref_eval, + .init = nft_objref_init, +- .destroy = nft_objref_destroy, ++ .activate = nft_objref_activate, ++ .deactivate = nft_objref_deactivate, + .dump = nft_objref_dump, + }; + +-- +2.19.1 + diff --git a/queue-5.0/netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch b/queue-5.0/netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch new file mode 100644 index 00000000000..5428e4c4c77 --- /dev/null +++ b/queue-5.0/netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch @@ -0,0 +1,223 @@ +From cde4a3e910919f5b01be7dfa728ee735fa8f9937 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 8 Mar 2019 15:30:03 +0100 +Subject: netfilter: nf_tables: bogus EBUSY when deleting set after flush +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 273fe3f1006ea5ebc63d6729e43e8e45e32b256a ] + +Set deletion after flush coming in the same batch results in EBUSY. Add +set use counter to track the number of references to this set from +rules. We cannot rely on the list of bindings for this since such list +is still populated from the preparation phase. + +Reported-by: Václav Zindulka +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + include/net/netfilter/nf_tables.h | 6 ++++++ + net/netfilter/nf_tables_api.c | 28 +++++++++++++++++++++++++++- + net/netfilter/nft_dynset.c | 13 +++++++++---- + net/netfilter/nft_lookup.c | 13 +++++++++---- + net/netfilter/nft_objref.c | 13 +++++++++---- + 5 files changed, 60 insertions(+), 13 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 0612439909dc..9e0b9ecb43db 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -382,6 +382,7 @@ void nft_unregister_set(struct nft_set_type *type); + * @dtype: data type (verdict or numeric type defined by userspace) + * @objtype: object type (see NFT_OBJECT_* definitions) + * @size: maximum set size ++ * @use: number of rules references to this set + * @nelems: number of elements + * @ndeact: number of deactivated elements queued for removal + * @timeout: default timeout value in jiffies +@@ -407,6 +408,7 @@ struct nft_set { + u32 dtype; + u32 objtype; + u32 size; ++ u32 use; + atomic_t nelems; + u32 ndeact; + u64 timeout; +@@ -467,6 +469,10 @@ struct nft_set_binding { + u32 flags; + }; + ++enum nft_trans_phase; ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, ++ struct nft_set_binding *binding, ++ enum nft_trans_phase phase); + int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *binding); + void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index acb124ce92ec..e2aac80f9b7b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3624,6 +3624,9 @@ err1: + + static void nft_set_destroy(struct nft_set *set) + { ++ if (WARN_ON(set->use > 0)) ++ return; ++ + set->ops->destroy(set); + module_put(to_set_type(set->ops)->owner); + kfree(set->name); +@@ -3664,7 +3667,7 @@ static int nf_tables_delset(struct net *net, struct sock *nlsk, + NL_SET_BAD_ATTR(extack, attr); + return PTR_ERR(set); + } +- if (!list_empty(&set->bindings) || ++ if (set->use || + (nlh->nlmsg_flags & NLM_F_NONREC && atomic_read(&set->nelems) > 0)) { + NL_SET_BAD_ATTR(extack, attr); + return -EBUSY; +@@ -3694,6 +3697,9 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, + struct nft_set_binding *i; + struct nft_set_iter iter; + ++ if (set->use == UINT_MAX) ++ return -EOVERFLOW; ++ + if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) + return -EBUSY; + +@@ -3721,6 +3727,7 @@ bind: + binding->chain = ctx->chain; + list_add_tail_rcu(&binding->list, &set->bindings); + nft_set_trans_bind(ctx, set); ++ set->use++; + + return 0; + } +@@ -3740,6 +3747,25 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set, + } + EXPORT_SYMBOL_GPL(nf_tables_unbind_set); + ++void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, ++ struct nft_set_binding *binding, ++ enum nft_trans_phase phase) ++{ ++ switch (phase) { ++ case NFT_TRANS_PREPARE: ++ set->use--; ++ return; ++ case NFT_TRANS_ABORT: ++ case NFT_TRANS_RELEASE: ++ set->use--; ++ /* fall through */ ++ default: ++ nf_tables_unbind_set(ctx, set, binding, ++ phase == NFT_TRANS_COMMIT); ++ } ++} ++EXPORT_SYMBOL_GPL(nf_tables_deactivate_set); ++ + void nf_tables_destroy_set(const struct nft_ctx *ctx, struct nft_set *set) + { + if (list_empty(&set->bindings) && nft_set_is_anonymous(set)) +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index f1172f99752b..eb7f9a5f2aeb 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -241,11 +241,15 @@ static void nft_dynset_deactivate(const struct nft_ctx *ctx, + { + struct nft_dynset *priv = nft_expr_priv(expr); + +- if (phase == NFT_TRANS_PREPARE) +- return; ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_dynset_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_dynset *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding, +- phase == NFT_TRANS_COMMIT); ++ priv->set->use++; + } + + static void nft_dynset_destroy(const struct nft_ctx *ctx, +@@ -293,6 +297,7 @@ static const struct nft_expr_ops nft_dynset_ops = { + .eval = nft_dynset_eval, + .init = nft_dynset_init, + .destroy = nft_dynset_destroy, ++ .activate = nft_dynset_activate, + .deactivate = nft_dynset_deactivate, + .dump = nft_dynset_dump, + }; +diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c +index 14496da5141d..161c3451a747 100644 +--- a/net/netfilter/nft_lookup.c ++++ b/net/netfilter/nft_lookup.c +@@ -127,11 +127,15 @@ static void nft_lookup_deactivate(const struct nft_ctx *ctx, + { + struct nft_lookup *priv = nft_expr_priv(expr); + +- if (phase == NFT_TRANS_PREPARE) +- return; ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_lookup_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_lookup *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding, +- phase == NFT_TRANS_COMMIT); ++ priv->set->use++; + } + + static void nft_lookup_destroy(const struct nft_ctx *ctx, +@@ -222,6 +226,7 @@ static const struct nft_expr_ops nft_lookup_ops = { + .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)), + .eval = nft_lookup_eval, + .init = nft_lookup_init, ++ .activate = nft_lookup_activate, + .deactivate = nft_lookup_deactivate, + .destroy = nft_lookup_destroy, + .dump = nft_lookup_dump, +diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c +index ae178e914486..d8737c115257 100644 +--- a/net/netfilter/nft_objref.c ++++ b/net/netfilter/nft_objref.c +@@ -161,11 +161,15 @@ static void nft_objref_map_deactivate(const struct nft_ctx *ctx, + { + struct nft_objref_map *priv = nft_expr_priv(expr); + +- if (phase == NFT_TRANS_PREPARE) +- return; ++ nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); ++} ++ ++static void nft_objref_map_activate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr) ++{ ++ struct nft_objref_map *priv = nft_expr_priv(expr); + +- nf_tables_unbind_set(ctx, priv->set, &priv->binding, +- phase == NFT_TRANS_COMMIT); ++ priv->set->use++; + } + + static void nft_objref_map_destroy(const struct nft_ctx *ctx, +@@ -182,6 +186,7 @@ static const struct nft_expr_ops nft_objref_map_ops = { + .size = NFT_EXPR_SIZE(sizeof(struct nft_objref_map)), + .eval = nft_objref_map_eval, + .init = nft_objref_map_init, ++ .activate = nft_objref_map_activate, + .deactivate = nft_objref_map_deactivate, + .destroy = nft_objref_map_destroy, + .dump = nft_objref_map_dump, +-- +2.19.1 + diff --git a/queue-5.0/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch b/queue-5.0/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch new file mode 100644 index 00000000000..8c541ac1e62 --- /dev/null +++ b/queue-5.0/powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch @@ -0,0 +1,37 @@ +From 0e20067714cf44e7cdf36ab315b814192e28d9ca Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Thu, 4 Apr 2019 12:20:05 +0000 +Subject: powerpc/vdso32: fix CLOCK_MONOTONIC on PPC64 + +[ Upstream commit dd9a994fc68d196a052b73747e3366c57d14a09e ] + +Commit b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC +inconsistencies across Y2038") changed the type of wtom_clock_sec +to s64 on PPC64. Therefore, VDSO32 needs to read it with a 4 bytes +shift in order to retrieve the lower part of it. + +Fixes: b5b4453e7912 ("powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038") +Reported-by: Christian Zigotzky +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/vdso32/gettimeofday.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/vdso32/gettimeofday.S b/arch/powerpc/kernel/vdso32/gettimeofday.S +index 1e0bc5955a40..afd516b572f8 100644 +--- a/arch/powerpc/kernel/vdso32/gettimeofday.S ++++ b/arch/powerpc/kernel/vdso32/gettimeofday.S +@@ -98,7 +98,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime) + * can be used, r7 contains NSEC_PER_SEC. + */ + +- lwz r5,WTOM_CLOCK_SEC(r9) ++ lwz r5,(WTOM_CLOCK_SEC+LOPART)(r9) + lwz r6,WTOM_CLOCK_NSEC(r9) + + /* We now have our offset in r5,r6. We create a fake dependency +-- +2.19.1 + diff --git a/queue-5.0/series b/queue-5.0/series new file mode 100644 index 00000000000..389b5419858 --- /dev/null +++ b/queue-5.0/series @@ -0,0 +1,8 @@ +netfilter-nf_tables-bogus-ebusy-when-deleting-set-af.patch +netfilter-nf_tables-bogus-ebusy-in-helper-removal-fr.patch +intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch +powerpc-vdso32-fix-clock_monotonic-on-ppc64.patch +alsa-hda-realtek-move-to-act_init-state.patch +fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch +block-bfq-fix-use-after-free-in-bfq_bfqq_expire.patch +cifs-fix-memory-leak-in-smb2_read.patch